Anthony Di Bello Yesterday at Moscone Center I walked by the former Gartner security
analyst who famously
pronounced nearly 10 years ago that “IDS is dead.”

So it was fitting to attend the keynote by RSA Chairman Art
Coviello and hear him say, “It’s past time for
us to disenthrall ourselves from the reactive and perimeter-based security
dogmas of the past and speed adoption of intelligence-driven
security.” He described a fact that’s inescapable
to all security professionals now, which is that alerting systems and point
solutions for threat response aren’t sufficient to respond to modern threats.
The time has come to change the way we perform incident response by using
rapidly accessible, actionable intelligence to make the stakes higher for hackers,
crackers, and thieves.

Anthony Di BelloNew software and services from Guidance Software fill a critical gap in information security by helping organizations respond automatically to security attacks and breaches, giving businesses and government agencies the capacity to react to thousands of events daily and reduce the time between a breach and incident response.

Guidance Software has connected EnCase® Cybersecurity version 4.3 with security information and event management (SIEM) systems to facilitate security automation. For example, when an attack or breach event is suspected, the SIEM system can now automatically trigger an EnCase® Cybersecurity forensic response, including exposing, collecting, triaging and remediating data related to threats — essentially taking action on or gathering data about a security event that might otherwise have been missed.
By automating incident response, organizations can collect actionable information about an attack, minimize data leakage and economic damage, and reduce the time needed to eliminate the threat and return an endpoint computer to a normal state.

According to a September 2011 Cost of Cyber Crime study by The Ponemon Institute, the average time to resolve a cyber attack in 2011 was 18 days. Shortening that duration could reduce the cost and impact of an attack, which the Ponemon study placed at $416,000 on average. Results of the study also showed that malicious insider attacks can take more than 45 days to contain.

"Time is of the essence when performing incident response, but today's security teams are constrained by the volume of attacks and the time it takes to initiate a response. Any delay in response means a potential for more damage and a loss of valuable data," said Victor Limongelli, president and chief executive officer, Guidance Software. "By automating forensic response EnCase® Cybersecurity enables security teams to achieve a real-time view of what was occurring on endpoints during an attack, even if the incident occurred over a weekend or in the middle of the night."

Organizations have three ways they can automate incident response using new features in EnCase® Cybersecurity:

-- Integration with ArcSight — The integration of EnCase® Cybersecurity with HP ArcSight Enterprise Security Manager (ESM) offers four pre-programmed, automatic functions, including forensic auto-capture of system memory, scanning for Internet history and cache files, scanning for personally identifiable information, and conducting a targeted forensic data audit of a system. Security managers can run these EnCase® functions and view results from a pull-down menu inside ArcSight ESM with a few mouse clicks, or they can set them to run automatically, without manual intervention, when an incident triggers a security alert.

-- Response Automation Connector — EnCase® Cybersecurity 4.3 includes the new response automation connector, which is an application-programming interface (API) that gives organizations the ability to integrate the software with other security alerting systems. Customers using the API can integrate all of EnCase® Cybersecurity's incident response capabilities into their SIEM environment and automate those functions that are most important to their security processes.

-- Response Automation Services — Guidance Software has also launched new professional services offerings to help organizations with other security alerting tools or unique staffing needs to automate response to security incidents using EnCase® Cybersecurity.

Anthony Di Bello
The objective of malware has moved from weapons of mass disruption, to weapons of ultimate stealth for data theft. Today, attackers want to go unnoticed. And they’ll do anything they can to get past traditional defenses. They’ll try to compromise your users through tainted links on social networking sites, or specially crafted email attachments, and even through infected USB drives. They’ll employ any means they can, and if they’re determined, they won’t stop until they succeed.

The software tools they use today include attack exploit code, Trojans, keystroke loggers, network sniffers, bots – whatever works to infiltrate the network and then ex-filtrate the desired data.

"The advanced attack is getting more pervasive. In our engagements and my conversations with peers we are dealing with more organizations that are grappling with international infiltration. Every network we monitor, every large customer, has some kind of customized malware infiltrating data somewhere. I imagine anybody in the global 2,500 has this problem.”

Consider that quote again for a second: “Every network we monitor, every large customer, has some kind of customized malware infiltrating data somewhere.”
Obviously, the goal of the malware is to slither past anti-malware defenses, and too often the attackers are successful.

This is why the ability to quickly detect and respond to infiltrations is more crucial than ever for an effective IT security program. And that makes digital forensics software central to those efforts. By being able to quickly determine the nature and cause of an incident, forensics software can be used to stop future incidents through the increased visibility into the network it provides.

This is where EnCase® Cybersecurity shines. EnCase® Cybersecurity offers enterprises a way to obtain actionable endpoint data related to an event before that data has a chance to decay or disappear from the affected endpoint altogether. EnCase® Cybersecurity can easily be integrated with an alerting solution or SIEM of choice (such as ArcSight ESM) to enable real-time visibility into relevant endpoint data the moment an alert or event is generated. This ensures security teams have instant access to information such as hidden processes running at the time the alert was generated, ports that were open at the time and more. The ability to see the entire picture in regards to what was occurring on an endpoint – at a specific moment in time – allows for a far more accurate incident impact analysis and a way to gain visibility into any given threat. Having a clear view into that moment in time leads to faster incident resolution rather than chasing cold trails.